Today we have deployed an update to Hosted Chef that will change the
default permissions that chef-client has on data bag items for any new
organizations that you create. Previously the default was to permit
chef-client to read, create, update, and delete data bag items. Any new
organizations created from this point on will instead to default to
allowing only read access.

Full details of the change and instructions on how to either make the same
change to your existing data bags, or allow full chef-client data bag
access in your new organizations can be found in this blog post: